Computer Forensics Chap 1-4

Published on January 2017 | Categories: Documents | Downloads: 53 | Comments: 0 | Views: 268
Chapter 1
1) IACIS (International Association of Computer Investigative Specialists) &
FLETC (Federal Law Enforcement Training Center)
2) False
3) Fourth Amendment
4) Vulnerability assessment, intrusion response, and investigation
5) Internet Pornography, Espionage, Abuse of Internet Properties
6) False: As long as the company has a security banner
7) To allow you to cultivate professional relationships with people
who specialize in technical areas different from your own specialty.
8) Any of the above
9) An organization has the right to monitor what end users do, and their email is not personal and can be monitored.
10) True
11) False
12) Espionage & email harassment
13) Professional conduct includes ethics, morals, and standards of
behaviour. It can affect your credibility.

14) It helps you remember what procedures were followed if the case ever goes to court.
It can also be used as a reference if you need to remember how you solved a
previous problem.
15) Still being established
16) To reduce conflicts from competing interests among organizations or
departments and to avoid starting investigations based on organizational/
departmental gains or jealousy.
17) To provide a sworn statement of support of facts about evidence of
a crime that is submitted to a judge with the request for a search warrant
before seizing evidence.
18) The affidavit is a sworn statement of support of facts about or
evidence of a crime which is submitted to a judge with the request for a
search warrant before seizing evidence. This includes exhibits (evidence)
that support the allegation to justify the warrant. The affidavit is then
notarized under sworn oath to verify that the information in the affidavit is
true. The affidavit, the warrant, and the return of service are basically the
order of the procedure.

Chapter 2
1) Talk to others involved in the case and ask about the incident. Determine
whether law enforcement or company security officers already seized the
computer evidence. Determine whether the computer was used to commit
a crime or contains evidence about the crime.
2) Determine the OS of the suspect computer. List the necessary software to
use for the examination.
3) Case number, name of the investigator assigned to the case, nature of the case, location
where evidence was obtained, description of the evidence, and so on.

4) Identify the risks by listing the things that can or normally will happen:
Who is the user? What type of equipment is involved?
5) False - because other investigators or persons involved in the case might
alter something in the evidence.
6) True - it protects the computer or digital equipment from static electricity that could damage the
evidence.

7) Only the investigators in the group.
8) Hostile work environment caused by inappropriate Internet use. Sending
harassing e-mail messages

9) To ensure that data isn’t altered
10) An explanation of basic computer and network processes, a
narrative of what steps you took, a description of your findings, and log
files generated from your analysis tools.
11) To improve your work. Self-evaluation is an essential part of
professional growth. The critique allows you to identify successful
decisions and actions and determine how you could have improved your
performance.
12) Chain of custody.
13) The acquisition officer documents the items the investigating
officers collected with the computer, including the list of storage media and
removable disks, notes the computer and the OS that was running, photographs
the computer setup, and takes pictures of the computer screen and all open
windows if the computer is on. A crime scene security log is kept, the initial
perimeter (and inner/outer perimeters if necessary) is established, and items
of evidentiary value are protected.
14) Disgruntled employee, embarrassing management, power struggle
between corporations, premature release of information on new products.
15) An interrogation is trying to get a suspect to confess. An interview
is getting information from a witness. Sometimes a witness who is being
questioned loses credibility and becomes a suspect.
16) When conducting an ACP (attorney-client privilege) investigation, you must keep all
findings confidential.
17) 1) memorandum 2) list of keywords of interest to the investigation
3) compare hash values 4) bit-stream imaging 5) documentation, private
legal
18) False

Chapter 4
1) To preserve the digital evidence.
2) Raw format, proprietary formats, Advanced Forensic Format
3) Fast data transfers and the capability to ignore minor data read errors on the
source drive; requires as much storage space as the original disk and
might not collect marginal (bad) sectors on the source drive.
4) Whether to compress or not, capability to split an image into smaller
segmented files, capability to integrate metadata into the image file
(date and time, hash values).
5) Expert Witness Format
6) EnCase, SafeBack, and SnapCopy.
7) only specific files of interest to the case
8) fragments of unallocated data in addition to the logical allocated data
9) Size of the source drive, whether the source drive will be retained as evidence,
how long the acquisition will take, and where the disk evidence is located
10) There is no limit to the size of data you can write to magnetic tape.
11) When the suspect computer can't be taken offline for several hours
but can be shut down long enough to switch disks with a Ghost backup,
allowing the investigator to take the original disk and preserve it as digital
evidence.
12) To ensure at least one good copy of the forensically collected data in
case of any failures
13) Determining whether there's sufficient electrical power and lighting
and checking the temperature and humidity at the location

14) If the target drive is an external USB drive, the write-protect feature
prevents data from being written to it.

15) Newer Linux distributions automatically mount the USB device, which could alter
data on it.
16) False. The correct command is dcfldd if=/dev/hda1 of=image_file.img
17) Validation
18) A program designed to create a binary or hexadecimal number that represents the
uniqueness of a data set, file, or entire disk
19) md5sum and sha1sum
20) hash=, hashlog=, and vf=
21) 2 GB (a limitation of FAT file systems)
22) 1) amount of data storage needed.
2) the type of RAID server (0, 1, 5, etc.)
3) whether your acquisition tool can handle RAID acquisitions.
4) whether your analysis tool can handle RAID data
5) whether your analysis tool can split RAID data into separate drives
23) False
(They are designed as data recovery tools but are useful in rebuilding corrupt data
when forensics tools fail.)
24) a. Data transfer speeds
b. Access permissions over the network
c. Antivirus, antispyware, and firewall programs
25) ProDiscover provides 256-bit AES or Twofish encryption with GUID and encrypts the
password on the suspect's workstation.
26) ServLet
27) PDServer
28) DiskExplorer for NTFS or DiskExplorer for FAT
29) False
30) TCP/IP and serial RS232 port
31) EnCase Enterprise, ProDiscover Investigator, and ProDiscover Incident Response

32) True
33) True
34) False
35)